Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 28 February 2005. 
2a) [ ] This action is FINAL. 2b) [X] This action is non-final. 

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213. 

Disposition of Claims 

4) [X] Claim(s) 1-17 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) [ ] Claim(s) is/are allowed. 

6) [X] Claim(s) 1-17 is/are rejected. 

7) [ ] Claim(s) is/are objected to. 

8) [ ] Claim(s) are subject to restriction and/or election requirement. 

9) [ ] The specification is objected to by the Examiner. 

10) [ ] The drawing(s) filed on is/are: a) [ ] accepted or b) [ ] objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 
application from the International Bureau (PCT Rule 17.2(a)). 

DETAILED ACTION 

1. Claims 1-17 are pending. 

Reopening of Prosecution - New Ground of Rejection After Appeal 

2. In view of the Appeal Brief filed on 2/28/2005, PROSECUTION IS HEREBY 
REOPENED. A new ground of rejection is set forth below. 

To avoid abandonment of the application, appellant must exercise one of the following 
two options: 

(1) file a reply under 37 CFR 1.111; or, 

(2) request reinstatement of the appeal. 

If reinstatement of the appeal is requested, such request must be accompanied by a 
supplemental appeal brief, but no new amendments, affidavits (37 CFR 1.130, 1.131 or 
1.132) or other evidence are permitted. See 37 CFR 1.193(b)(2). 

Claim Rejections - 35 USC § 102 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

3. Claims 1-6, 8-13, 15-17 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Grantges (USP 6,324,648) or Win et al. (USP 6,182,142, hereinafter "Win"). 

As per claims 8 and 17, Grantges and Win teach an authentication method and computer 
program product at a firewall [Grantges, col. 5, lines 40-57, Check Point One firewall, see also 
abstract, Figures 1 and 8 and associated texts, see also Win, col. 2, lines 24-40, col. 4, lines 56- 
61, discloses that registry server 108 is protected using a firewall 118], comprising the steps of: 
(a) receiving a network resource request from a client user [Grantges, col. 8, lines 
15-28, Win, col. 2, 31-32]; 

(b) querying [Grantges, col. 9, lines 6-18, Win, col. 10, lines 53-65, i.e. after 
the client is authenticated, the module 414 calls Authorization service of the Access server. In 
response, the authorization service requests profile information about the user from the registry 
server], using a network protocol, at least one directory [Grantges's LDAP, Win, col. 12, lines 
46-67 discloses directory repository configured to store an entity's organization] that is 
configured to store information concerning an entity's organization, wherein said query is based 
upon an authorization filter [col. 11, lines 13-33, an authorization plug-in 42 queries 
authorization server containing LDAP server, and determines the application for which access by 
the user is authorized and builds authentication cookie 90 and application list cookie 92, Win, 
col. 11, line 59 through col. 12, line 10, discloses an access menu module 412 which uses 
personalized menu service to build a list of resources that the user is authorized to access 
according to user profile information] that is generated based on a directory schema [tree 
structured LDAP and Registry Repository] that is predefined by said entity; 

(c) determining, based on the results of said query, whether the contents of at least 
part of one or more entries in said at least one directory satisfy said authorization filter 
[Grantges, col. 11, lines 15-19, authorization plug-in 42 determines the authorized applications 
for the user 18, Win, col. 10, lines 63-64, the authorization service creates a "user cookie" and 
"roles cookie" to convey profile information to the browser]; and 

(d) permitting said network resource request through said firewall if said 
authorization filter is satisfied [Grantges, col. 11, lines 12-43, the plug-in (42) then through 
gateway proxy server 40 transmits cookies 90 and 92 to client computer 22, Win, col. 8, lines 56- 
61]. 

Application/Control Number: 09/495,157 

Art Unit: 2131 

As per claim 1, Grantges and Win teach a system for authorizing client access to a 
network resource, comprising: 

a server [Grantges, col. 7, lines 37-44, an authorization server] having at least one 
directory [LDAP-capable server, light weight directory access protocol, Win, col. 12, lines 24- 
25, i.e. registry server managing a registry repository] that can be accessed using a network 
protocol, said at least one directory being configured to store information concerning an entity's 
organization [Grantges, col. 7, lines 39-44, i.e. X.509 digital certificate, the identification of 
applications to which access by the user has been authorized by an application trustee, and a 
gateway user identification (ID), Win, col. 12, lines 46-54]; 

and a firewall [Grantges, col. 5, lines 40-57, such as Check Point One firewall, Win, col. 
22, lines 40-53] that is configured to intercept network resource requests from a plurality of 
client users [Grantges, col. 8, lines 15-28], said firewall being operative to authorize a network 
resource request based upon a comparison of the contents of at least part of one or more entries 
in said at least one directory to an authorization filter, wherein said authorization filter is 
generated based on a directory schema that is predefined by said entity [Grantges, col. 11, lines 
12-43, i.e. an authorization plug-in (42) queries authorization server (46) and determines the 
application for which access by the user is authorized and builds authentication cookie 90 and 
application list cookie 92. The plug-in (42) then through gateway proxy server 40 transmits 
cookies 90 and 92 to client computer 22, Win, col. 11, line 59 through col. 12, line 10, discloses 
an access menu module 412 which uses personalized menu service to build a list of resources 
that the user is authorized to access according to user profile information]. 

As per claims 2 and 9, Grantges and Win teach the system/method of claims 1 and 8 
respectively, wherein said at least one directory is a lightweight directory access protocol 
directory [Grantges, col. 7, lines 36-37, Win, col. 12, lines 55-62]. 

As per claims 3 and 10, Grantges and Win teach the system of claims 1 and 8 
respectively, wherein said authorization filter is specified using a graphical user interface 
[Grantges, col. 11, line 13, authorization plug-in 42, Win, col. 12, lines 3-10]. 

As per claims 4-5, and 11-12, Grantges and Win teach the system/method of claims 1 and 8 
respectively, wherein said authorization filter implements a per-user authentication scheme 
[Grantges, col. 8, lines 10-11, that is the authentication of the user, see also col. 11, lines 33-34, 
authentication cookie 90, Win, col. 10, lines 64-65 (User cookie)] and, wherein said 
authorization filter implements a per-service authentication scheme [Grantges, col. 8, lines 12-13, 
see also col. 11, lines 33-34 for application list cookie 92, Win, col. 10, lines 64-65, "roles 
cookie"]. 

As per claims 6 and 13, Grantges teaches the system/method of claims 1 and 8 
respectively, wherein said firewall and said directory communicate using secure socket layer 
communication [Grantges, col. 6, lines 37-42]. 

As per claim 15, Win teaches the method of claim 8, wherein step (a) comprises the step 
of receiving a network resource request from a client user at an internal network [Win, col. 2, 
lines 34-35]. 
As per claim 16, Grantges and Win teach the method of claim 8, wherein step (a) 
comprises the step of receiving a network resource request from a client user at an external 
network [Grantges, abstract, authenticating access for a client computer over an insecure, public 
network to one of a plurality of destination servers on private, secure network, Win, col. 2, lines 
34-35]. 

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

4. Claims 7 and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over Grantges 
and Win as applied to claims 1 and 8 above, and further in view of prior art of record 
Check Point Management Client, Version 1.0. 

As per claims 7 and 14, Grantges and Win fail to teach the system/method of claims 1 
and 8 respectively, wherein said firewall is configured to query multiple directories. 

Check Point Account Management Client discloses use of an LDAP server containing 
multiple branches [Page 139]. 

Therefore, it would have been obvious to one of ordinary skill at the time the invention 
was made to modify the LDAP server of Grantges and Win with the one disclosed by Check 
Point for its efficiency and enhanced security [see Check Point, page 13 for the disclosed 
advantages]. 
Conclusion 



5. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Taghi T. Arani whose telephone number is (571) 272-3787. The 
examiner can normally be reached on 8:00-5:30 Mon-Fri. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 




Taghi T. Arani, Ph.D. 



Examiner 
Art Unit 2131 



